Hi all,

I'd like to raise a point related to the discussion about ZooKeeper's minimum supported Java version.

Jetty 9.x is end-of-life and no longer receives OSS security updates. There are unaddressed CVEs that affect the 9.4.x line:

- CVE-2026-2332 (High) – HTTP request smuggling via chunked extension parsing; affects Jetty <= 9.4.59. Fixed in 9.4.60.
- CVE-2025-11143 (Low) – differential URI parsing that can lead to security bypass; affects Jetty <= 9.4.58. Fixed in 9.4.59.

The catch is that 9.4.59 and 9.4.60 are only available to customers paying for commercial support (e.g. Webtide/HeroDevs NES). OSS projects can no longer obtain security fixes for Jetty 9.x through Maven Central. The supported community line is Jetty 12.x, which requires Java 17 as the baseline.

In Apache Pulsar, we've had to carry a fairly invasive workaround to upgrade to Jetty 12.x while still depending on ZooKeeper: we patch / shadow the relevant Pulsar-side integration classes (the equivalents of org.apache.zookeeper.server.admin and org.apache.zookeeper.metrics.prometheus) so Pulsar can run on Jetty 12.x even though ZooKeeper still pulls in Jetty 9.x. We'd very much like to drop this hack, but that requires ZooKeeper itself to move off Jetty 9.x.

Given that Jetty 12.x requires Java 17, raising ZooKeeper's Java baseline to 17 would unblock the Jetty upgrade and close the CVE exposure for downstream OSS users at the same time.

Would the project consider tying the Java 17 baseline discussion to a Jetty 12 migration on the same release line? Happy to help with the migration work if there's interest.

-Lari

On Thu, 30 Apr 2026 at 02:14, Andor Molnár <[email protected]> wrote:

> I’m trying to extract the relevant information from the thread for you.
> Previously I wrote something like:
>
> “… we could make a leap and make JDK 17 the minimum runtime and compile
> versions for the master branch.
>
> Once the change is merged to master, we'll backport it to branch-3.9 as
> follows:
>
> * minimum JDK for building: 17
> * minimum JRE for running: 8 (no change)”
>
> As far as I know, that’s what we agreed on, but unfortunately, no one has
> been willing to create a PR for it since then. Are you happy to work on it?
>
> Andor
>
> > On Apr 29, 2026, at 13:12, Andor Molnár <[email protected]> wrote:
> >
> > Hi David,
> >
> > Thank you, your efforts are much appreciated.
> >
> > Yes. At the moment we still support Java 8 on all active branches.
> > There’s only one exception: the OWASP build process requires Java 11 to run.
> >
> > There was a bunch of discussions [1] and [2] recently regarding how we
> > should upgrade and which JDK versions we should support on our branches.
> > You might want to review them before going forward.
> >
> > [1] https://lists.apache.org/thread/42537mr70g3n8srzxg406xlssbcsqr7w
> > [2] https://lists.apache.org/thread/ng8gq261ts5znzt6wb3zgjwqpsoqfftv
> >
> > Regards,
> > Andor
> >
> >> On Apr 29, 2026, at 07:57, Dávid Paksy <[email protected]> wrote:
> >>
> >> Hi ZooKeeper devs,
> >>
> >> I started to work on JDK25 support in ZooKeeper. The compilation works
> >> fine but for the tests to work I created ZOOKEEPER-5039 to upgrade
> >> Mockito to 5.23.0.
> >>
> >> I put up #2376 PR and I saw the GH Action builds at the moment are done
> >> using Java 8 and Java 11.
> >>
> >> Mockito 5.x requires Java 11 or higher. It will not work with Java 8.
> >> Mockito 4.x supported Java 8 but Mockito 4.x does not support Java 25.
> >>
> >> Do we have to support Java 8 on ZooKeeper master branch? I did not find
> >> any documentation regarding this.
> >>
> >> Thanks in advance,
> >> Dávid
